Educause Security Discussion mailing list archives
Re: regarding the critical DNS protocol vulnerability
From: Dick Jacobson <Dick.Jacobson () NDUS NODAK EDU>
Date: Fri, 11 Jul 2008 08:03:10 -0500
On Fri, 11 Jul 2008, Russell Fulton wrote:
> On 11/07/2008, at 4:17 PM, Russ Harvey wrote:
>
>> Unfortunately the ISC fixes we tried for BIND did not work. We are running 9.4.1-P1 so first went to 9.4.2-P1, then 9.5.0-P1, then 9.5.1b1. We found either exhausted file descriptors, EDNS handling bugs, or just plain poor performance. We are back to 9.4.1-P1. Anyone else having problems with patching BIND for this problem?
>
> We are using RHE 5 and applied their standard updates without problems. I warned our admins about the potential performance issues and they upgraded just one of the four to see how it went. Everything was OK so we upgraded the other 3 too. Typically our servers get around 10,000 queries per minute...
>
> Russell

Is that really a fix from Red Hat? This is the response I got from one of our sysads when I asked ...

Red Hat has already released patches to bind that *reduce* the problem. The patches apparently just lessen the exposure though, they don't fix it. To fix it we would need to deploy DNSSEC.

-----------------------------------------------------------------------
Dick Jacobson
NDUS IT Security Officer
e-mail : Dick.Jacobson () ndus NoDak edu
office : STTC 219
phone : 701-231-6280 <NEW phone number>
-----------------------------------------------------------------------